Yet it's just a simple static website without scripts, cookies or any other dynamic content. If you need to specficy whatever random heades WHATWG comes up with each year for a static site to be secure then the problem is the browser not the website.
X-Content-Type-Options is in particular is 100% about browsers ignoring the spec and then making you set another header asking them to please reconsider.
Referer is another thing that should be 100% fixed on the browser side instead of each website asking the browser to please not leak information to other websites.
Then when you look at the scoring criteria [0] you see it even avards bonus points for setting cookies and using scripts as long as you do it in the currently fashionable way comapared to not using cookies/scripts at all. This is absolutely the wrong way around.
I got an F for a static site and upgraded it to A+ considering 120 but ultimately settling for a comfortable 110/100 as good as it gets score. Thank you for this. I had no idea
so my website pretty much is "hi" in index.html (two characters) and I got a "D". so to help me understand how to hack this installation, how can I use the websites evaluation to hack into it so I can understand the exploitation of the security holes I have obviously left open? Is there any guidance here?
11 comments
[ 1.0 ms ] story [ 58.5 ms ] threadNot the same, but also very helpful for https/tls
Content Security Policy (CSP) −25
X-Content-Type-Options −5
X-Frame-Options −20
Yet it's just a simple static website without scripts, cookies or any other dynamic content. If you need to specficy whatever random heades WHATWG comes up with each year for a static site to be secure then the problem is the browser not the website.
X-Content-Type-Options is in particular is 100% about browsers ignoring the spec and then making you set another header asking them to please reconsider.
Referer is another thing that should be 100% fixed on the browser side instead of each website asking the browser to please not leak information to other websites.
Then when you look at the scoring criteria [0] you see it even avards bonus points for setting cookies and using scripts as long as you do it in the currently fashionable way comapared to not using cookies/scripts at all. This is absolutely the wrong way around.
[0] https://developer.mozilla.org/en-US/observatory/docs/tests_a...
Edit: Figured I should point out that the old one had TLS and SSH stuff also, and the URL was https://observatory.mozilla.org.